State of knowledge

June 2022 

ProCall Enterprise

Information about ProCall Enterprise 7.4.1

In ProCall Release 7.4.1 () the Yealink SDK (libyealinkusbsdk.dll) for call control was no longer shipped with the installation due to the reasons listed below. Please note that even if you update from 7.4.0 to 7.4.1, the SDK will no longer be installed.

Yealink is working hard to resolve the false positive virus alerts when using "sophos Central Intercept X Advanced with XDR".

As soon as a solution is available, the SDK will also become an official part of ProCall 7 Enterprise again.

Observation

After updating the ProCall client to version 7.4.0.5782, it no longer starts.

Sophos reports "Malicious exploit ROP in estos ProCall"

Reason

In ProCall version 7.4.0.5782 the new feature "Yealink Headset HID support" is built in, for this a Yealink SDK was included.

C:\Program Files (x86)\estos\ProCall\driver\x86\Yealink → libyealinkusbsdk.dll

What has estos undertaken

We scanned the DLL with Virustotal and nothing malicious was found:

https://www.virustotal.com/gui/file/0304941c189536da808287cace6418591b64be97e044382e318f4b4bd56a8154

We have contacted Yealink, the feedback on this is still pending.

What you can do?

Report it to Sophos to whitelist this DLL.

Workaround

There are the following three options:

  • Create an exception in the Sophos
  • A registry key can be set so that the SDK is not loaded when the ProCall client is started:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\ESTOS\UCServer4\CtiMain]
"AVAudioExcludeHidSdk0"="Yealink"
  • Delete the following folder on the client with the SDK (not update-safe):

C:\Program Files (x86)\estos\ProCall\driver\x86\Yealink

Further information

How can I manually install the Yealink SDK?